[OWASP-Security101] Inquiry on csrf prevention solution

John Wilander john.wilander at owasp.org
Fri Apr 27 07:42:23 UTC 2012


Here you go:

Stateless CSRF Protection
http://appsandsecurity.blogspot.se/2012/01/stateless-csrf-protection.html

   Regards, John


2012/4/26 Sarah Baso <sarah.baso at owasp.org>

> All -
> We received the inquiry below via the OWASP Contact Us page, and thought
> this would be the appropriate forum to help!  I have cc'ed the sender for
> your response (and recommended that he subscribe to the list).
>
> Thanks!
> Sarah Baso
>
> -----------------------------------------------------------------------------------------------------------------------
>
> Hello,
>
> I want to discuss one idea I have to prevent REST requests from CSRF
> attacks.
> I haven't read about a solution like that, so I want to find out if I
> missed something important. Additionally, if the solution is useful I want
> to share it.
>
> The idea to prevent CSRF in REST requests:
> - before the client sends the AJAX request (which I want to make CSRF
> secure),
> a one-time-use random token is generated* (if this is not secure on the client
> side it can be fetched from the backend by a pre-REST
> request to the server).
> - this token will be put into a cookie from JS
> - this token will also be added as a GET parameter of the AJAX request
> - the server will compare both values
> - after the REST call is successful the client removes the value from the cookie
>
> For me this method seems really secure. The token will only be used once,
> and an attacker's site, as far as I know, can't send a request with a custom
> self-set cookie header. As far as I know the browser always sends the
> cookie header related to the cookies which are set from responses of the
> owner domain or via JS of that domain.
> Also this can be used for non-REST requests if some JS magic adds
> the token to the cookie and GET parameter before the submit action is invoked.
>
> * I think for common CSRF-protection needs you can take a simple timestamp
> instead of the randomly created token. The attacker needs to brute force the
> timestamp in the time in which one REST request will be processed. The time
> slot will mostly be very small.
>
> Can someone please tell me if I have missed an important aspect?
>
> Thanks and best regards
> Andreas Schnapp
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
> List Run By OWASP
> List Admin: Michael.Coates at owasp.org
>



-- 
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
My music http://www.johnwilander.com & my résumé http://johnwilander.se
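The scheme Andreas describes (a random token placed in a cookie by the client and repeated as a request parameter, with the server comparing the two) is the stateless double-submit cookie pattern, which is also the subject of John's linked post. The following server-side check is an added example, not code from the thread or from John's blog post; the cookie name `__Host-csrf_token`, the query parameter name `csrf_token`, and the `headers`/`request_url` calling convention are assumptions for illustration. It uses a CSPRNG token, requires the parameter to be present exactly once, and compares in constant time; the `__Host-` cookie prefix is used because the check is only as strong as the guarantee that nobody else can set that cookie for the site (the prefix makes browsers reject it unless it is Secure, has `Path=/`, and has no `Domain` attribute, so a sibling subdomain cannot plant it).

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Assumed names for this example; the thread does not fix either of them.
COOKIE_NAME = "__Host-csrf_token"
PARAM_NAME = "csrf_token"
MIN_TOKEN_LEN = 32


def new_token() -> str:
    """Token generated by the client-side JS or a pre-REST request (the
    message's main variant): unpredictable, from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


def token_cookie_header(token: str) -> str:
    """Set-Cookie value for the pre-REST variant where the backend issues the
    token. Not HttpOnly on purpose: the page's JS must read it to copy it into
    the request parameter."""
    return f"{COOKIE_NAME}={token}; Path=/; Secure; SameSite=Strict"


def csrf_request_is_valid(headers: dict, request_url: str) -> bool:
    """Stateless double-submit check.

    The browser attaches the cookie automatically on a cross-site request, but
    the forged request cannot contain a matching parameter because the
    attacker's origin cannot read the cookie value. So: accept only when the
    cookie token and the query-parameter token are both present and identical.
    """
    cookies = SimpleCookie()
    cookies.load(headers.get("Cookie", ""))
    if COOKIE_NAME not in cookies:
        return False
    cookie_token = cookies[COOKIE_NAME].value

    # Reject empty or too-short tokens so a cookie like "__Host-csrf_token="
    # paired with "?csrf_token=" does not pass as a trivial match.
    if len(cookie_token) < MIN_TOKEN_LEN:
        return False

    params = parse_qs(urlsplit(request_url).query).get(PARAM_NAME, [])
    if len(params) != 1:  # missing or duplicated parameter: fail closed
        return False

    # Constant-time comparison: do not leak token bytes via timing.
    return hmac.compare_digest(cookie_token, params[0])


def demo() -> dict:
    """Constructed requests: one from the site's own JS, two cross-site forgeries."""
    token = new_token()
    own_cookie = {"Cookie": f"session=abc123; {COOKIE_NAME}={token}"}
    legit = f"https://app.example/api/transfer?amount=10&{PARAM_NAME}={token}"
    # Cross-site request: the browser still sends the cookie, but the attacker
    # cannot supply the value in the URL.
    forged_no_param = "https://app.example/api/transfer?amount=10"
    forged_guess = f"https://app.example/api/transfer?amount=10&{PARAM_NAME}={new_token()}"
    return {
        "legit": csrf_request_is_valid(own_cookie, legit),
        "forged_no_param": csrf_request_is_valid(own_cookie, forged_no_param),
        "forged_guess": csrf_request_is_valid(own_cookie, forged_guess),
        "no_cookie": csrf_request_is_valid({}, legit),
    }


if __name__ == "__main__":
    print(demo())
```

One design point worth noting for the "used once" property in the message: with the server kept stateless, single use is enforced only by the client deleting the cookie, so the server's check above accepts any request whose two copies match; a server that must reject replays of the same token needs to remember seen tokens, which gives up statelessness.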

